Why I have a 512 bit PGP key

Perry E. Metzger perry at imsi.com
Tue Dec 27 19:07:54 PST 1994



Eric Hughes says:
>    From: "Ian Farquhar" <ianf at sydney.sgi.com>
> 
> re: personal account tripwire
> 
>    The problem is that although you can protect the data file of
>    hashes (by using a pass phrase to encrypt it), protecting the
>    binary which does the checking is rather more difficult.
> 
> Why not recompile the binary?  All it needs to be is something like
> md5.c.

Read Ken Thompson's Turing Award lecture for why that isn't
sufficient. Its quite amusing.

Lets face it -- if you are truly paranoid, you have to carry your
machine around with you at all times and chain it to you.

Its all a question of threat model. For national security type attacks
nothing less than "chain machine to wrist" will do. For stopping a
casual attack, much less is needed. Its all in the threat model...

Perry






More information about the cypherpunks-legacy mailing list